L'Ateneo: la nostra infrastruttura è stata oggetto di un grave attacco informatico che ha reso inaccessibili i siti web
Attacco hacker a Roma Tre, siti dell'università inaccessibili. Lo rende noto la stessa Università, spiegando che «nella notte dell’8 maggio, si è registrata una interruzione dei servizi informatici di Ateneo. A seguito delle operazioni di verifica effettuate già nella notte e proseguite per tutta la mattina del 9 si è potuto constatare che l'infrastruttura dell'Ateneo è stata oggetto di un grave attacco informatico che ha reso inaccessibili i siti web di Ateneo».
CVE-2025-37752 is an Array-Out-Of-Bounds vulnerability in the Linux network packet scheduler, specifically in the SFQ queuing discipline. An invalid SFQ limit and a series of interactions between SFQ and the TBF Qdisc can lead to a 0x0000 being written approximately 256KB out of bounds at a misaligned offset. If properly exploited, this can enable privilege escalation.
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.
What is the package?
The package rand-user-agent generates randomized real user-agent strings based on their frequency of occurrence. It’s maintained by the company WebScrapingAPI (https://www.webscrapingapi.com/).
Our analysis engine detected suspicious code in the file dist/index.js. Lets check it out, here seen through the code view on npm’s site:
We’ve got a RAT (Remote Access Trojan) on our hands. Here’s an overview of it:
Behavior Overview
The script sets up a covert communication channel with a command-and-control (C2) server using socket.io-client, while exfiltrating files via axios to a second HTTP endpoint. It dynamically installs these modules if missing, hiding them in a custom .node_modules folder under the user's home directory.
Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
Arkadiusz Wargula via Getty Images
Government set to roll out passkey technology across digital services later this year.
SMS-based verification to be replaced by more secure, cost-effective solution.
NCSC joins FIDO Alliance to shape international passkey standards.
The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.
Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security.
Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input.
This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making them phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey.
The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.
In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system.
This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
RSAC: Can we turn to govt, academic models instead?
Corporate AI models are already skewed to serve their makers' interests, and unless governments and academia step up to build transparent alternatives, the tech risks becoming just another tool for commercial manipulation.
That's according to cryptography and privacy guru Bruce Schneier, who spoke to The Register last week following a keynote speech at the RSA Conference in San Francisco.
"I worry that it'll be like search engines, which you use as if they are neutral third parties but are actually trying to manipulate you. They try to kind of get you to visit the websites of the advertisers," he told us. "It's integrity that we really need to think about, integrity as a security property and how it works with AI."
During his RSA keynote, Schneier asked: "Did your chatbot recommend a particular airline or hotel because it's the best deal for you, or because the AI company got a kickback from those companies?"
To deal with this quandary, Schneier proposes that governments should start taking a more hands-on stance in regulating AI, forcing model developers to be more open about the information they receive, and how the decisions models make are conceived.
He praised the EU AI Act, noting that it provides a mechanism to adapt the law as technology evolves, though he acknowledged there are teething problems. The legislation, which entered into force in August 2024, introduces phased requirements based on the risk level of AI systems. Companies deploying high-risk AI must maintain technical documentation, conduct risk assessments, and ensure transparency around how their models are built and how decisions are made.
Because the EU is the world's largest trading bloc, the law is expected to have a significant impact on any company wanting to do business there, he opined. This could push other regions toward similar regulation, though he added that in the US, meaningful legislative movement remains unlikely under the current administration.
The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel.
On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk.
The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid.
Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities.
The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.
Depuis la fin de l’année 2023, VIGINUM observe et documente les activités d’un mode opératoire informationnel russe susceptible d’affecter le débat public numérique francophone et européen, connu sous le nom de « Storm-1516 ».
Le mode opératoire informationnel (MOI) Storm-1516, actif depuis plus d’un an et demi, est responsable de plusieurs dizaines d’opérations informationnelles ayant ciblé des audiences occidentales, dont française. S’appuyant sur l’analyse de 77 opérations informationnelles documentées par VIGINUM et conduites par Storm-1516 entre la date de son apparition supposée et le 5 mars 2025, ce rapport détaille les principaux narratifs et contenus employés, leur chaîne de diffusion, ainsi que les acteurs étrangers impliqués dans la conduite du MOI.
L’analyse par VIGINUM de ces différentes opérations informationnelles démontre que le dispositif d’influence informationnelle russe a investi des efforts conséquents pour coordonner les actions d’un important réseau d’acteurs, d’organisations et de MOI agissant depuis le territoire russe et dans les pays ciblés, et ce depuis le début de l’invasion à grande échelle de l’Ukraine par la Russie en 2022.
Storm-1516 constitue aujourd’hui un mode opératoire informationnel mature, qui offre à ses commanditaires la capacité de mener à la fois des actions de court terme en réaction à l’actualité, mais également de s’inscrire dans des stratégies de long terme, visant à décrédibiliser des personnalités ou des organisations européennes et nord-américaines, notamment en amont de grands événements et de processus électoraux.
Si l’impact réel sur le débat public numérique demeure difficile à estimer, VIGINUM observe que de nombreux narratifs propagés via ce MOI ont atteint une visibilité très importante en ligne, et qu’ils sont parfois repris, de manière inconsciente ou opportuniste, par des personnalités et des représentants politiques de premier plan.
Les opérateurs de Storm-1516 poursuivent aujourd’hui leurs activités avec un rythme opérationnel soutenu, et devraient très probablement continuer à adapter leurs TTPs, notamment pour crédibiliser davantage leurs contenus, tenter de contourner les mécanismes de modération des plateformes, gêner le suivi et l’imputation technique de leurs activités, ou encore renouveler leurs infrastructures d’attaque.
Au regard de ces éléments, VIGINUM considère que les activités de Storm-1516 réunissent les critères d’une ingérence numérique étrangère, et représentent une menace importante pour le débat public numérique français et européen.
The presence of credentials in leaked “stealer logs” indicates his device was infected.
Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.
Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.
A steady stream of published credentials
According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps.
“I have no way of knowing exactly when Schutt's computer was hacked, or how many times,” Lee wrote. “I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”
Overview: Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship
Overview:
Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship management software product. It’s often used to record customer calls, monitor customer reviews, share surveys and track feedback.
Microsoft 365 is used by over 2 million organizations worldwide. At least 500,000 organizations use Dynamics 365 Customer Voice, including 97% of Fortune 500 companies.
In this campaign, cyber criminals send business files and invoices from compromised accounts, and include fake Dynamics 365 Customer Voice links. The email configuration looks legitimate and easily tricks email recipients into taking the bait.
As part of this campaign, cyber criminals have deployed over 3,370 emails, with content reaching employees of over 350 organizations, the majority of which are American. More than a million different mailboxes were targeted.
Affected entities include well-established community betterment groups, colleges and universities, news outlets, a prominent health information group, and organizations that promote arts and culture, among others.
In April of 2025, Rapid7 discovered and disclosed three new vulnerabilities affecting SonicWall Secure Mobile Access (“SMA”) 100 series appliances (SMA 200, 210, 400, 410, 500v). These vulnerabilities are tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821. An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution. These vulnerabilities have been fixed in version 10.2.1.15-81sv.
Rapid7 would like to thank the SonicWall security team for quickly responding to our disclosure and going above and beyond over a holiday weekend to get a patch out.
A vulnerability has been identified and remediated in all supported versions of the Commvault software. Webservers can be compromised through bad actors creating and executing webshells.
Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credential
Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point.
Further compounding the unfortunate situation, the actor was able to dump their database. This contained, as stated by Bleeping Computer, a number of tables such as bitcoin addresses, data about their build system such as bespoke builds for affiliates, A ‘chats’ table containing negotiation messages, which we’ll go through in a later post. And finally, of interest today, the usernames and passwords of LockBit agents using the console.
Of special importance, making our work markedly easier, these passwords were not hashed. Which sure is a choice, as an organization that performs ransomware attacks.
The vast majority of the passwords in this table as reasonably secure; it’s not solely hilariously weak credentials, but there still are a number that display poor security hygiene.
The weak passwords
Before going into my standard analysis, I’ll list off all of the weak passwords in question, and then we’ll go through the statistics of the whole set. The fun to highlight passwords:
Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.
On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.
This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.
WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”
Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO Group’s spokesperson Gil Lainer left the door open for an appeal.
“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement.
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."
LockBit dark web site defaced with link to database
As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database.
From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:
A 'btc_addresses' table that contains 59,975 unique bitcoin addresses.
A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds.
A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt.
A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.
Affiliate panel 'chats' table
Affiliate panel 'chats' table
A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'.
In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.
Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025.
It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.
Le 21 janvier 2025, au petit matin, David Balland, co-fondateur d’une start-up française spécialisée dans les crypto-monnaies, est enlevé avec sa compagne à leur domicile, dans le Cher. Une rançon est demandée. En moins de trois jours, les différentes unités de la gendarmerie mobilisées sur cette affaire conduisent les investigations, retrouvent les deux conjoints et interpellent dix malfaiteurs.
Le matin du 21 janvier 2025, un couple est enlevé à son domicile, à Vierzon, dans le Cher, par une équipe de malfaiteurs. David Balland est le co-fondateur de Ledger, une entreprise française spécialisée dans les crypto-monnaies. Les deux victimes sont aussitôt séparées et conduites en des lieux différents. Les ravisseurs contactent alors l’un des autres co-fondateurs de la start-up pour obtenir une rançon en monnaie électronique.
Concernant le volet cyber des investigations, l’Unité nationale cyber a déployé une quinzaine de ses gendarmes spécialistes, en appui de la S.R. de Bourges. « Notre action dans ce dossier a été double, a indiqué le colonel Hervé Pétry, commandant l’UNC. D'abord par une force de projection sur le terrain, pour appuyer les investigations par rapport à l'ensemble des supports numériques. Ces derniers ont été saisis de manière à geler la preuve, extraire les données, les traiter, les exploiter pour récupérer un maximum de preuves et d'informations nous permettant d'identifier et de localiser les individus pour retrouver les victimes. Nous avons pu progresser et transmettre les informations à la fois aux enquêteurs de la S.R. de Bourges et au GIGN, pour tout ce qui concerne le dispositif d'intervention et de recherches opérationnelles. Le deuxième aspect concerne des recherches effectuées à l'UNC, dont le siège est à Pontoise, en matière cette fois de cryptoactifs, d'identification, de traçabilité et de saisie. »
In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide. The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10.
The now defunct platforms – Cfxapi, Cfxsecurity, neostress, jetstress, quickdown and zapcut – are thought to have facilitated widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.
The platforms offered slick interfaces that required no technical skills. Users simply entered a target IP address, selected the type and duration of attack, and paid the fee — automating attacks that could overwhelm even well-defended websites.
Global law enforcement response
The arrests in Poland were part of a coordinated international action involving law enforcement authorities in 4 countries, with Europol providing analytical and operational support throughout the investigation.
Dutch authorities have deployed fake booter sites designed to warn users seeking out DDoS-for-hire services, reinforcing the message that those who use these tools are being watched and could face prosecution. Data from booter websites, seized by Dutch law enforcement in data centres in the Netherlands, was shared with international partners, including Poland, contributing to the arrest of the four administrators.
The United States seized 9 domains associated with booter services during the coordinated week of action, continuing its broader campaign against commercialised DDoS platforms.
Germany supported the Polish-led investigation by helping identify one of the suspects and sharing critical intelligence on others.
Polish authorities have detained four suspects linked to six DDoS-for-hire platforms, believed to have facilitated thousands of attacks targeting schools, government services, businesses, and gaming platforms worldwide since 2022.
Such platforms are often marketed as legitimate testing tools on the dark web and hacking forums, but are mainly used to disrupt online services, servers, and websites by flooding them with traffic in distributed denial-of-service (DDoS) attacks and causing outages for real users.
The six DDoS services, named Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, have been taken down in a coordinated law enforcement action involving authorities from Germany, the Netherlands, Poland, and the United States.
"In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide," Europol said on Wednesday.
"The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."
Dass sich Betrüger auf Kleinanzeigenplattformen als Kaufinteressenten ausgeben und vorschlagen, den Kauf über einen angeblichen Paketdienst abzuwickeln, ist eine bereits bekannte Masche. Neu setzen sie jedoch gefälschte Postquittungen ein, um glaubwürdiger zu wirken.
Betrüger suchen gezielt nach Angeboten auf Kleinanzeigenportalen und kontaktieren die Verkäufer zunächst über den Plattform-Chat, später meist via WhatsApp.
Die Cyberkriminellen geben vor, beispielsweise über die Schweizerische Post den Artikel sowie die Lieferung bereits bezahlt zu haben. Dazu schicken sie den potenziellen Opfern ein Foto einer angeblichen Postquittung mit einem QR-Code, der für den Erhalt des Geldes gescannt werden müsse.
Der QR-Code führt zu einer gefälschten Website auf der die Cyberkriminellen vorgeben, der Kaufbetrag werde auf die persönliche Kreditkarte überwiesen. So versuchen sie, an die Kreditkartendaten zu gelangen.
I've been following the development of Deno for some time. It kind of pushes all my buttons: a Rust-based Node alternative with an active web developer community?? Yes please.
As a developer, I've been looking for excuses to use Deno because, frankly, it's so much fun. It makes JavaScript/TypeScript enjoyable again by shipping sane defaults and making delightful choices about dependency management.
Deno also has some truly incredible features that go beyond the web development ecosystem. I want to focus on these features. I've wanted to explore Deno from an offensive security perspective for some time, but a new development in version 2.3 made this imperative: deno.exe—the standalone binary that constitutes the entire tool—is now code-signed on Windows.
Great news for Deno! But because of what Deno can do, it's also good news for those who would do nefarious things with it.
Code signing is a guarantee that the binary you got is the one you're supposed to have. It's supposed to be a higher level of trust than simply a hash checksum, since this is Microsoft telling you a trusted developer shipped this program.
It also means (for now), that Defender SmartScreen gives deno.exe a pass.
So what can Deno do for the red team and the ne'er-do-wells? I've put together a small sampling of demonstrations of Deno's capabilities.
I'm focusing somewhat on the "ClickFix" attack vector, since it is so prevalent at the time of writing, and apparently so effective. So with each of these, I want you to imagine some version of a user opening Win+R and pasting a short command in.
The number of reported cyber incidents and online threats in Switzerland rose sharply last year, according to the National Cyber Security Centre (NCSC).
Last year, almost 63,000 cyber-related incidents were reported to the National Cyber Security Centre (NCSC) in Switzerland, an increase of 13,500 cases over the previous year. Between July and December, the NCSC recorded more than 28,000 incidents, slightly fewer than in the first half of 2024.
Fraud, phishing and spam messages continue to be the most frequently reported incidents. The increase on the previous year is mainly due to the phenomenon of false calls in the name of the authorities, with almost 22,000 reports compared with around 7,000 the previous year.
On the other hand, the number of e-mail threats has dropped. Over the past four years, fraudsters have used the telephone more as a communication channel.
Berne, 06.05.2025 — Le dernier rapport semestriel de l’Office fédéral de la cybersécurité (OFCS) montre comment les cybercriminels opèrent à l’échelle internationale et quels moyens ils utilisent pour diffuser leurs attaques. En raison des cybermenaces désormais mondiales et de la dépendance croissante aux solutions logicielles globales, la coopération interétatique gagne en importance dans ce domaine. Pour renforcer la cybersécurité en Suisse, l’obligation de signaler les cyberattaques contre des infrastructures critiques est entrée en vigueur le 1er avril 2025. Les principes de cette obligation sont harmonisés avec les normes internationales et les directives de l’UE.
Premier point de contact pour la population en cas de cyberincidents, l’OFCS reçoit déjà depuis 2020, via un formulaire en ligne, des signalements volontaires concernant des incidents survenus dans le cyberespace. L’analyse de ces signalements montre comment les cybercriminels opèrent à l’échelle internationale et développent de nouvelles méthodes et stratégies pour diffuser leurs attaques. Le dernier rapport semestriel de l’OFCS présente ces développements ainsi que la situation en matière de cybermenaces – en Suisse et dans le monde – au deuxième semestre 2024.
De juillet à décembre 2024, l’OFCS a reçu 28 165 signalements concernant des cyberincidents, soit un peu moins qu’au cours du premier semestre. Sur toute l’année 2024, il en a enregistré 62 954, soit 13 574 de plus que l’année précédente. Ces fluctuations s’expliquent principalement par les vagues d’appels au nom de fausses autorités. Le rapport entre les signalements de la population (90 %) et ceux des entreprises, associations ou autorités (10 %) est resté stable. S’agissant des entreprises, on constate une forte hausse des arnaques au président (719 en 2024 contre 487 en 2023). Comme à l’accoutumée, les catégories les plus fréquemment mentionnées par les personnes qui ont rempli le formulaire en ligne étaient « Fraude », « Hameçonnage » et « Spam ». En ce qui concerne les jeux-concours frauduleux, l’OFCS a même reçu au deuxième semestre 2024 trois fois plus de signalements que d’ordinaire.
A messaging service used by former National Security Advisor Mike Waltz has temporarily shut down while the company investigates an apparent hack. The messaging app is used to access and archive Signal messages but is not made by Signal itself.
404 Media reported yesterday that a hacker stole data "from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the US government to archive messages." 404 Media interviewed the hacker and reported that the data stolen "contains the contents of some direct messages and group chats sent using [TeleMessage's] Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat."
TeleMessage is based in Israel and was acquired in February 2024 by Smarsh, a company headquartered in Portland, Oregon. Smarsh provided a statement to Ars today saying it has temporarily shut down all TeleMessage services.
"TeleMessage is investigating a recent security incident," the statement said. "Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational."
Last week, Waltz was photographed using the TeleMessage Signal app on his phone during a White House cabinet meeting. Waltz's ability to secure sensitive government communications has been in question since he inadvertently invited The Atlantic Editor-in-Chief Jeffrey Goldberg to a Signal chat in which top Trump administration officials discussed a plan for bombing Houthi targets in Yemen.
Waltz was removed from his post late last week, with Trump nominating him to serve as ambassador to the United Nations.
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.
No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.
Introduction: The Silent Threat#
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.
The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.
Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload - a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity.
Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.
An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.
The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket
The researchers discovered the attack in April and identified three Go modules on GitHub, that have since been removed from the platform:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a CMS used to manage and remotely control digital signage displays.
As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files.
This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication.
Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability. Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.
29.04.2025 - L’Office fédéral de la cybersécurité (OFCS) observe une vague de tentatives de fraude au PDG qui perdure. La semaine dernière, de nombreux cas ont été signalés à l’OFCS dans lesquels des cybercriminels se font passer pour des dirigeants de communes afin d’inciter des employé/e/s à acheter des cartes cadeaux ou à effectuer des virements. La rétrospective hebdomadaire examine le modus operandi des cybercriminels, explique pourquoi les communes sont particulièrement exposées et donne des conseils pour que les communes (et toutes les autres victimes potentielles) puissent se protéger.
En raison de leur structure publique et de la disponibilité des informations sur les sites municipaux, les communes constituent une cible attractive pour les tentatives de fraude au PDG. Ces dernières semaines, de nombreux cas de ce type ont été signalés à l’OFCS. Les méthodes utilisées par les escrocs sont décrites ci-après, en particulier les deux procédures consistant soit à exiger des cartes cadeaux, soit à insister pour obtenir un paiement direct.
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security.
Key Points:
The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive.
easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare.
Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software.
*Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved.
The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation
CVE-2025-3248 Langflow Missing Authentication Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
La Confédération n'avait pas établi de distinction entre les fournisseurs de services de communication dérivés. Toutes les entreprises classées comme FSDC sont soumises à des obligations de coopération moins strictes – jusqu'à présent. Le Conseil fédéral souhaite désormais introduire une catégorisation plus précise pour les FSDC. Il prévoit à cet effet un modèle à trois niveaux, à savoir les FSDC avec des obligations «minimales», avec des obligations «restreintes» et avec des obligations «complètes».
Une révision partielle des ordonnances relatives au service de surveillance de la correspondance postale et des télécommunications (service SCPT) fait des remous dans le secteur technologique suisse. La pierre d'achoppement est une nouvelle classification des entreprises qui doivent aider le service SCPT dans ses activités de surveillance.
Jusqu'à présent, la Confédération faisait la distinction entre les fournisseurs de services de télécommunication (FST) et les fournisseurs de services de communication dérivés (FSDC), selon un communiqué de la Confédération. La Confédération divisait également les FST en deux sous-catégories, à savoir ceux les FST ayant des obligations complètes et les FST ayant des obligations restreintes.
Trois nouveaux niveaux
La Confédération n'avait pas établi de distinction entre les fournisseurs de services de communication dérivés. Toutes les entreprises classées comme FSDC sont soumises à des obligations de coopération moins strictes – jusqu'à présent. Le Conseil fédéral souhaite désormais introduire une catégorisation plus précise pour les FSDC. Il prévoit à cet effet un modèle à trois niveaux, à savoir les FSDC avec des obligations «minimales», avec des obligations «restreintes» et avec des obligations «complètes».
DragonForce ransomware group is targeting major UK retailers. Learn about this evolving threat and what steps can be taken to mitigate risk.
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.
Background
DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded.
The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage.
Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom.
Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.
Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.
Vendor Package
Tigren Ajaxsuite
Tigren Ajaxcart
Tigren Ajaxlogin
Tigren Ajaxcompare
Tigren Ajaxwishlist
Tigren MultiCOD
Meetanshi ImageClean
Meetanshi CookieNotice
Meetanshi Flatshipping
Meetanshi FacebookChat
Meetanshi CurrencySwitcher
Meetanshi DeferJS
MGS Lookbook
MGS StoreLocator
MGS Brand
MGS GDPR
MGS Portfolio
MGS Popup
MGS DeliveryTime
MGS ProductTabs
MGS Blog
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.
This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.
We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
Research into a global phishing-as-a-service operation will take you through:
Hundreds of thousands of victims spanning the globe
A glimpse into the lifestyle of the operators
Technical insight into the phishing toolkit
The backend of a phishing threat actor operating at scale
The scam industry has seen explosive growth over the past several years. The types of scams and methods used are constantly evolving as scammers adapt their techniques to continue their activities. They often capitalise on new technologies and target areas where our societies have yet to build mechanisms to protect themselves.
This story begins in December 2023 when people all over the world – including a large portion of the Norwegian population - started to receive text messages about packages waiting for them at the post office. The messages would come in the form of an SMS, iMessage or RCS message. What we were witnessing was the rise of a scam technique known as smishing or SMS phishing.
Such messages have one thing in common: they impersonate a brand that we trust to create a credible context for soliciting some kind of personal information, thus tricking us into willfully giving away our information.
Some scams are easier to spot than others. Spelling errors, poor translations, strange numbers or links to sketchy domains often give them away. But even tell-tale signs can be easy to miss on a busy day. When a large number of people are targeted, some will be expecting a package. And the tactic is obviously working. If it wasn’t worth their while, the scammers wouldn’t have invested so much time, money and effort.
StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.
This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.
Key Takeaways
Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.
Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.
Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages, 404 Media has learned. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.
The hack shows that an app gathering messages of the highest ranking officials in the government—Waltz’s chats on the app include recipients that appear to be Marco Rubio, Tulsi Gabbard, and JD Vance—contained serious vulnerabilities that allowed a hacker to trivially access the archived chats of some people who used the same tool. The hacker has not obtained the messages of cabinet members, Waltz, and people he spoke to, but the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer.
